Skip to main content

FilterRule

windows_wfp::filter

Struct FilterRule 

Source 
pub struct FilterRule {
    pub name: String,
    pub direction: Direction,
    pub action: Action,
    pub weight: u64,
    pub app_path: Option<PathBuf>,
    pub service_name: Option<String>,
    pub app_container_sid: Option<String>,
    pub local_ip: Option<IpAddrMask>,
    pub remote_ip: Option<IpAddrMask>,
    pub local_port: Option<u16>,
    pub remote_port: Option<u16>,
    pub protocol: Option<Protocol>,
}
Expand description

A WFP filter rule definition

Describes a firewall filter to be applied via the Windows Filtering Platform. All condition fields are optional — omitting a condition means “match all” for that field.

§Examples

use windows_wfp::{FilterRule, Direction, Action, FilterWeight};
use std::path::PathBuf;

// Block all outbound traffic from curl.exe
let rule = FilterRule::new("Block curl", Direction::Outbound, Action::Block)
    .with_weight(FilterWeight::UserBlock)
    .with_app_path(r"C:\Windows\System32\curl.exe");

// Allow all outbound traffic (no conditions = match all)
let allow_all = FilterRule::new("Allow all", Direction::Outbound, Action::Permit)
    .with_weight(FilterWeight::DefaultPermit);

Fields§

§name: String

Human-readable rule name (displayed in WFP management tools)

§direction: Direction

Traffic direction

§action: Action

Action to take (permit or block)

§weight: u64

Filter priority (higher weight = evaluated first)

§app_path: Option<PathBuf>

Application executable path (auto-converted to NT kernel path)

§service_name: Option<String>

Windows service name (matched via service SID)

§app_container_sid: Option<String>

AppContainer SID (for UWP/packaged apps)

§local_ip: Option<IpAddrMask>

Local IP address with CIDR mask

§remote_ip: Option<IpAddrMask>

Remote IP address with CIDR mask

§local_port: Option<u16>

Local port number (1-65535)

§remote_port: Option<u16>

Remote port number (1-65535)

§protocol: Option<Protocol>

IP protocol (TCP, UDP, ICMP, etc.)

Implementations§

Source§

impl FilterRule

Source

pub fn new( name: impl Into<String>, direction: Direction, action: Action, ) -> Self

Create a new filter rule with required fields

Examples found in repository?
examples/simple_block.rs (line 38)
24fn main() -> WfpResult<()> {
25    println!("TRusTY Wall - Simple Block Demo\n");
26
27    // Initialize WFP
28    println!("Opening WFP Engine...");
29    let engine = WfpEngine::new()?;
30    println!("Engine opened\n");
31
32    println!("Registering provider...");
33    initialize_wfp(&engine)?;
34    println!("Provider registered\n");
35
36    // Block notepad.exe outbound connections
37    println!("Adding block filter for notepad.exe...");
38    let notepad_rule = FilterRule::new("Block Notepad", Direction::Outbound, Action::Block)
39        .with_weight(FilterWeight::UserBlock)
40        .with_app_path(r"C:\Windows\System32\notepad.exe");
41
42    let filter_id = FilterBuilder::add_filter(&engine, &notepad_rule)?;
43    println!("Filter added (ID: {})\n", filter_id);
44
45    println!("Filter active for 10 seconds...");
46    println!("   (Try opening notepad.exe and accessing network)\n");
47
48    for i in (1..=10).rev() {
49        println!("   {} seconds remaining...", i);
50        thread::sleep(Duration::from_secs(1));
51    }
52
53    println!("\nRemoving filter...");
54    FilterBuilder::delete_filter(&engine, filter_id)?;
55    println!("Filter removed\n");
56
57    println!("Demo complete!");
58    Ok(())
59}
More examples
Hide additional examples
examples/live_demo.rs (line 66)
32fn main() -> WfpResult<()> {
33    println!("TRusTY Wall - Live WFP Demo");
34    println!("================================\n");
35
36    // Check for admin privileges
37    if !is_elevated() {
38        eprintln!("ERROR: This demo requires Administrator privileges!");
39        eprintln!("   Please run: cargo run --example live_demo --release");
40        eprintln!("   from an Administrator command prompt.\n");
41        std::process::exit(1);
42    }
43
44    println!("Running with Administrator privileges\n");
45
46    // Step 1: Initialize WFP Engine
47    println!("Step 1: Opening WFP Engine session...");
48    let engine = WfpEngine::new()?;
49    println!("   Engine session opened\n");
50
51    // Step 2: Register Provider & Sublayer
52    println!("Step 2: Registering WFP provider & sublayer...");
53    initialize_wfp(&engine)?;
54    println!("   Provider & sublayer registered\n");
55
56    // Step 3: Subscribe to network events
57    println!("Step 3: Subscribing to network events...");
58    let event_subscription = WfpEventSubscription::new(&engine)?;
59    println!("   Event subscription active\n");
60
61    // Step 4: Add blocking filter for curl.exe
62    println!("Step 4: Adding block filter for curl.exe...");
63    let curl_path = find_curl_path();
64    println!("   Target: {}", curl_path.display());
65
66    let block_rule = FilterRule::new("Block curl.exe", Direction::Outbound, Action::Block)
67        .with_weight(FilterWeight::UserBlock)
68        .with_app_path(curl_path.clone());
69
70    let filter_id = FilterBuilder::add_filter(&engine, &block_rule)?;
71    println!("   Filter added (ID: {})\n", filter_id);
72
73    // Step 5: Monitor events
74    println!("Step 5: Monitoring network events...");
75    println!("   Press Ctrl+C to stop\n");
76    println!("TIP: In another terminal, run:");
77    println!("   > curl https://google.com");
78    println!("   You should see the connection BLOCKED below!\n");
79    println!("===================================================\n");
80
81    let start_time = std::time::Instant::now();
82    let mut event_count = 0;
83
84    loop {
85        match event_subscription.try_recv() {
86            Ok(event) => {
87                event_count += 1;
88                print_event(&event, event_count);
89            }
90            Err(std::sync::mpsc::TryRecvError::Empty) => {
91                thread::sleep(Duration::from_millis(100));
92            }
93            Err(std::sync::mpsc::TryRecvError::Disconnected) => {
94                println!("\nEvent channel disconnected!");
95                break;
96            }
97        }
98
99        // Auto-stop after 60 seconds for demo
100        if start_time.elapsed() > Duration::from_secs(60) {
101            println!("\nDemo timeout (60s) - stopping...");
102            break;
103        }
104    }
105
106    // Cleanup
107    println!("\nCleaning up...");
108    FilterBuilder::delete_filter(&engine, filter_id)?;
109    println!("   Filter removed");
110    drop(event_subscription);
111    println!("   Event subscription closed");
112    drop(engine);
113    println!("   Engine session closed\n");
114
115    println!("Demo complete! {} events captured.", event_count);
116    Ok(())
117}
Source

pub fn with_weight(self, weight: FilterWeight) -> Self

Set the filter weight (priority)

Examples found in repository?
examples/simple_block.rs (line 39)
24fn main() -> WfpResult<()> {
25    println!("TRusTY Wall - Simple Block Demo\n");
26
27    // Initialize WFP
28    println!("Opening WFP Engine...");
29    let engine = WfpEngine::new()?;
30    println!("Engine opened\n");
31
32    println!("Registering provider...");
33    initialize_wfp(&engine)?;
34    println!("Provider registered\n");
35
36    // Block notepad.exe outbound connections
37    println!("Adding block filter for notepad.exe...");
38    let notepad_rule = FilterRule::new("Block Notepad", Direction::Outbound, Action::Block)
39        .with_weight(FilterWeight::UserBlock)
40        .with_app_path(r"C:\Windows\System32\notepad.exe");
41
42    let filter_id = FilterBuilder::add_filter(&engine, &notepad_rule)?;
43    println!("Filter added (ID: {})\n", filter_id);
44
45    println!("Filter active for 10 seconds...");
46    println!("   (Try opening notepad.exe and accessing network)\n");
47
48    for i in (1..=10).rev() {
49        println!("   {} seconds remaining...", i);
50        thread::sleep(Duration::from_secs(1));
51    }
52
53    println!("\nRemoving filter...");
54    FilterBuilder::delete_filter(&engine, filter_id)?;
55    println!("Filter removed\n");
56
57    println!("Demo complete!");
58    Ok(())
59}
More examples
Hide additional examples
examples/live_demo.rs (line 67)
32fn main() -> WfpResult<()> {
33    println!("TRusTY Wall - Live WFP Demo");
34    println!("================================\n");
35
36    // Check for admin privileges
37    if !is_elevated() {
38        eprintln!("ERROR: This demo requires Administrator privileges!");
39        eprintln!("   Please run: cargo run --example live_demo --release");
40        eprintln!("   from an Administrator command prompt.\n");
41        std::process::exit(1);
42    }
43
44    println!("Running with Administrator privileges\n");
45
46    // Step 1: Initialize WFP Engine
47    println!("Step 1: Opening WFP Engine session...");
48    let engine = WfpEngine::new()?;
49    println!("   Engine session opened\n");
50
51    // Step 2: Register Provider & Sublayer
52    println!("Step 2: Registering WFP provider & sublayer...");
53    initialize_wfp(&engine)?;
54    println!("   Provider & sublayer registered\n");
55
56    // Step 3: Subscribe to network events
57    println!("Step 3: Subscribing to network events...");
58    let event_subscription = WfpEventSubscription::new(&engine)?;
59    println!("   Event subscription active\n");
60
61    // Step 4: Add blocking filter for curl.exe
62    println!("Step 4: Adding block filter for curl.exe...");
63    let curl_path = find_curl_path();
64    println!("   Target: {}", curl_path.display());
65
66    let block_rule = FilterRule::new("Block curl.exe", Direction::Outbound, Action::Block)
67        .with_weight(FilterWeight::UserBlock)
68        .with_app_path(curl_path.clone());
69
70    let filter_id = FilterBuilder::add_filter(&engine, &block_rule)?;
71    println!("   Filter added (ID: {})\n", filter_id);
72
73    // Step 5: Monitor events
74    println!("Step 5: Monitoring network events...");
75    println!("   Press Ctrl+C to stop\n");
76    println!("TIP: In another terminal, run:");
77    println!("   > curl https://google.com");
78    println!("   You should see the connection BLOCKED below!\n");
79    println!("===================================================\n");
80
81    let start_time = std::time::Instant::now();
82    let mut event_count = 0;
83
84    loop {
85        match event_subscription.try_recv() {
86            Ok(event) => {
87                event_count += 1;
88                print_event(&event, event_count);
89            }
90            Err(std::sync::mpsc::TryRecvError::Empty) => {
91                thread::sleep(Duration::from_millis(100));
92            }
93            Err(std::sync::mpsc::TryRecvError::Disconnected) => {
94                println!("\nEvent channel disconnected!");
95                break;
96            }
97        }
98
99        // Auto-stop after 60 seconds for demo
100        if start_time.elapsed() > Duration::from_secs(60) {
101            println!("\nDemo timeout (60s) - stopping...");
102            break;
103        }
104    }
105
106    // Cleanup
107    println!("\nCleaning up...");
108    FilterBuilder::delete_filter(&engine, filter_id)?;
109    println!("   Filter removed");
110    drop(event_subscription);
111    println!("   Event subscription closed");
112    drop(engine);
113    println!("   Engine session closed\n");
114
115    println!("Demo complete! {} events captured.", event_count);
116    Ok(())
117}
Source

pub fn with_raw_weight(self, weight: u64) -> Self

Set a raw weight value

Source

pub fn with_app_path(self, path: impl Into<PathBuf>) -> Self

Set the application path to filter

Examples found in repository?
examples/simple_block.rs (line 40)
24fn main() -> WfpResult<()> {
25    println!("TRusTY Wall - Simple Block Demo\n");
26
27    // Initialize WFP
28    println!("Opening WFP Engine...");
29    let engine = WfpEngine::new()?;
30    println!("Engine opened\n");
31
32    println!("Registering provider...");
33    initialize_wfp(&engine)?;
34    println!("Provider registered\n");
35
36    // Block notepad.exe outbound connections
37    println!("Adding block filter for notepad.exe...");
38    let notepad_rule = FilterRule::new("Block Notepad", Direction::Outbound, Action::Block)
39        .with_weight(FilterWeight::UserBlock)
40        .with_app_path(r"C:\Windows\System32\notepad.exe");
41
42    let filter_id = FilterBuilder::add_filter(&engine, &notepad_rule)?;
43    println!("Filter added (ID: {})\n", filter_id);
44
45    println!("Filter active for 10 seconds...");
46    println!("   (Try opening notepad.exe and accessing network)\n");
47
48    for i in (1..=10).rev() {
49        println!("   {} seconds remaining...", i);
50        thread::sleep(Duration::from_secs(1));
51    }
52
53    println!("\nRemoving filter...");
54    FilterBuilder::delete_filter(&engine, filter_id)?;
55    println!("Filter removed\n");
56
57    println!("Demo complete!");
58    Ok(())
59}
More examples
Hide additional examples
examples/live_demo.rs (line 68)
32fn main() -> WfpResult<()> {
33    println!("TRusTY Wall - Live WFP Demo");
34    println!("================================\n");
35
36    // Check for admin privileges
37    if !is_elevated() {
38        eprintln!("ERROR: This demo requires Administrator privileges!");
39        eprintln!("   Please run: cargo run --example live_demo --release");
40        eprintln!("   from an Administrator command prompt.\n");
41        std::process::exit(1);
42    }
43
44    println!("Running with Administrator privileges\n");
45
46    // Step 1: Initialize WFP Engine
47    println!("Step 1: Opening WFP Engine session...");
48    let engine = WfpEngine::new()?;
49    println!("   Engine session opened\n");
50
51    // Step 2: Register Provider & Sublayer
52    println!("Step 2: Registering WFP provider & sublayer...");
53    initialize_wfp(&engine)?;
54    println!("   Provider & sublayer registered\n");
55
56    // Step 3: Subscribe to network events
57    println!("Step 3: Subscribing to network events...");
58    let event_subscription = WfpEventSubscription::new(&engine)?;
59    println!("   Event subscription active\n");
60
61    // Step 4: Add blocking filter for curl.exe
62    println!("Step 4: Adding block filter for curl.exe...");
63    let curl_path = find_curl_path();
64    println!("   Target: {}", curl_path.display());
65
66    let block_rule = FilterRule::new("Block curl.exe", Direction::Outbound, Action::Block)
67        .with_weight(FilterWeight::UserBlock)
68        .with_app_path(curl_path.clone());
69
70    let filter_id = FilterBuilder::add_filter(&engine, &block_rule)?;
71    println!("   Filter added (ID: {})\n", filter_id);
72
73    // Step 5: Monitor events
74    println!("Step 5: Monitoring network events...");
75    println!("   Press Ctrl+C to stop\n");
76    println!("TIP: In another terminal, run:");
77    println!("   > curl https://google.com");
78    println!("   You should see the connection BLOCKED below!\n");
79    println!("===================================================\n");
80
81    let start_time = std::time::Instant::now();
82    let mut event_count = 0;
83
84    loop {
85        match event_subscription.try_recv() {
86            Ok(event) => {
87                event_count += 1;
88                print_event(&event, event_count);
89            }
90            Err(std::sync::mpsc::TryRecvError::Empty) => {
91                thread::sleep(Duration::from_millis(100));
92            }
93            Err(std::sync::mpsc::TryRecvError::Disconnected) => {
94                println!("\nEvent channel disconnected!");
95                break;
96            }
97        }
98
99        // Auto-stop after 60 seconds for demo
100        if start_time.elapsed() > Duration::from_secs(60) {
101            println!("\nDemo timeout (60s) - stopping...");
102            break;
103        }
104    }
105
106    // Cleanup
107    println!("\nCleaning up...");
108    FilterBuilder::delete_filter(&engine, filter_id)?;
109    println!("   Filter removed");
110    drop(event_subscription);
111    println!("   Event subscription closed");
112    drop(engine);
113    println!("   Engine session closed\n");
114
115    println!("Demo complete! {} events captured.", event_count);
116    Ok(())
117}
Source

pub fn with_protocol(self, protocol: Protocol) -> Self

Set the protocol to filter

Source

pub fn with_remote_port(self, port: u16) -> Self

Set the remote port to filter

Source

pub fn with_local_port(self, port: u16) -> Self

Set the local port to filter

Source

pub fn with_remote_ip(self, ip: IpAddrMask) -> Self

Set the remote IP address with CIDR mask

Source

pub fn with_local_ip(self, ip: IpAddrMask) -> Self

Set the local IP address with CIDR mask

Source

pub fn with_service_name(self, name: impl Into<String>) -> Self

Set the Windows service name

Source

pub fn with_app_container_sid(self, sid: impl Into<String>) -> Self

Set the AppContainer SID

Source

pub fn block_all_outbound() -> Self

Block all outbound traffic (no conditions)

Source

pub fn allow_all_outbound() -> Self

Allow all outbound traffic (no conditions)

Source

pub fn block_all_inbound() -> Self

Block all inbound traffic (no conditions)

Source

pub fn default_block() -> Self

Default block rule (lowest priority catch-all)

Trait Implementations§

Source§

impl Clone for FilterRule

Source§

fn clone(&self) -> FilterRule

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for FilterRule

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.